Lucene search
+L

12649 matches found

Cvelist
Cvelist
added 2026/07/01 3:11 p.m.40 views

CVE-2026-57517 Control Web Panel < 0.9.8.1225 Blind SQL Injection via userRes Parameter

Control Web Panel before 0.9.8.1225 contains a blind SQL injection vulnerability that allows unauthenticated remote attackers to execute arbitrary SQL queries by submitting unsanitized input through the userRes POST parameter at the user endpoint. Attackers can exploit MySQL root privileges...

9.8CVSS0.00587EPSS
Exploits2References3
CVE
CVE
added 2026/07/01 3:11 p.m.64 views

CVE-2026-57517

Control Web Panel prior to version 0.9.8.1225 is affected by CVE-2026-57517, a blind SQL injection via the userRes POST parameter at the user endpoint. The vulnerability allows unauthenticated remote attackers to execute arbitrary SQL queries, potentially leveraging MySQL root privileges obtained...

9.8CVSS6.7AI score0.00587EPSS
Exploits2References4
Positive Technologies
Positive Technologies
added 2026/07/01 12:0 a.m.11 views

PT-2026-54885

Name of the Vulnerable Software and Affected Versions Control Web Panel versions prior to 0.9.8.1225 Description An unauthenticated remote attacker can execute arbitrary SQL queries due to improper input validation and unsafe SQL query construction. This issue occurs at the 'user' endpoint throug...

9.8CVSS6.8AI score0.00587EPSS
Exploits2References13
Positive Technologies
Positive Technologies
added 2026/07/01 12:0 a.m.7 views

PT-2026-54861

Name of the Vulnerable Software and Affected Versions Craft CMS versions 5.0.0-RC1 through 5.9.22 Description A stored cross-site scripting issue exists where a user with author-level control panel permissions can embed a malicious JavaScript payload within an entry title. The execution occurs wh...

5.9CVSS6AI score0.00412EPSS
Exploits0References6
EUVD
EUVD
added 2026/06/28 1:32 a.m.13 views

EUVD-2026-39974

MyBB 1.8.40 does not restrict which usergroup a limited Admin Control Panel user may assign when creating or editing users; the user module offers the Administrators group gid 4 and its datahandler's verifyusergroup unconditionally returns true. An admin holding only the delegated user-management...

8.6CVSS5.8AI score0.00272EPSS
Exploits0References2
EUVD
EUVD
added 2026/06/26 10:12 p.m.11 views

EUVD-2026-38059

Statamic CMS: Missing authorization on Control Panel fieldtype endpoints allows disclosure of restricted resources...

4.3CVSS5.8AI score0.00162EPSS
Exploits0References2
OSV
OSV
added 2026/06/26 8:43 a.m.11 views

BIT-GRAFANA-2026-9029 Stored XSS in the Geomap panel tile-layer attribution

A user with Editor permissions can place a malicious script in the attribution field of a Geomap panel's XYZ tile layer via a template variable. The script then executes in the browser of any user who views the affected dashboard stored cross-site scripting...

7.3CVSS6AI score0.0025EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/06/26 12:0 a.m.14 views

PT-2026-53029

Name of the Vulnerable Software and Affected Versions Statamic versions prior to 5.74.0 Statamic versions prior to 6.20.3 Description The Live Preview endpoint for existing entries and terms in src/Http/Controllers/CP/PreviewController.php only verifies view authorization but accepts and renders...

3.5CVSS5.3AI score0.00303EPSS
Exploits0References7
EUVD
EUVD
added 2026/06/25 3:0 p.m.7 views

EUVD-2026-39432

3X-UI is a web control panel for managing Xray-core servers. Prior to 3.3.1, an authenticated administrator can abuse the database import functionality to achieve arbitrary file write on the host by modifying Xray configuration values stored in the database. This can be leveraged to obtain code...

7.2CVSS6.4AI score0.00342EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/06/25 3:0 p.m.37 views

CVE-2026-55477 Authenticated Arbitrary File Write via Database Import and Xray Log Path Manipulation

3X-UI is a web control panel for managing Xray-core servers. Prior to 3.3.1, an authenticated administrator can abuse the database import functionality to achieve arbitrary file write on the host by modifying Xray configuration values stored in the database. This can be leveraged to obtain code...

7.2CVSS0.00342EPSS
Exploits0References1
EUVD
EUVD
added 2026/06/24 6:32 p.m.8 views

EUVD-2026-38805

A Stored Cross-Site Scripting XSS vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled input in the Notifications Events panel...

4.8CVSS5.8AI score0.00239EPSS
Exploits0References3
NVD
NVD
added 2026/06/24 4:16 p.m.9 views

CVE-2026-50709

A Stored Cross-Site Scripting XSS vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled input in the Notifications Events panel...

4.8CVSS0.00239EPSS
Exploits0References2
AstraLinux
AstraLinux
added 2026/06/24 3:11 p.m.5 views

Astra Linux – Vulnerability found in Linux 6.1, Linux 6.12

In the Linux kernel, the following vulnerability has been resolved: drm/panel-simple: Fixed the connector type for the DataImage SCF0700C48GGU18 panel. The connector type for the DataImage SCF0700C48GGU18 panel is missing, and devmdrmpanelbridgeadd requires the connector type to be set. This...

5.7AI score0.00173EPSS
Exploits0References2
AstraLinux
AstraLinux
added 2026/06/24 3:11 p.m.5 views

Astra Linux – Vulnerability found in Linux 6.1, Linux 6.12

In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Check NULL before accessing WHAT IGT kmscursorlegacy’s long-nonblocking-modeset-vs-cursor-atomic fails with a NULL pointer dereference. This issue can be reproduced when both an eDP panel and a DP monitor are...

5.8AI score0.00179EPSS
Exploits0References3
CVE
CVE
added 2026/06/24 3:4 p.m.13 views

CVE-2026-50709

CVE-2026-50709 : In Frappe Framework 17.0.0-dev, a stored XSS vulnerability exists in the Notifications → Events panel due to improper neutralization of user-controlled input. The issue affects the rendering of color in Events and is described with a CVSS v4.0 base score of 4.8 (MEDIUM). The conn...

4.8CVSS5.8AI score0.00239EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/06/24 3:4 p.m.35 views

CVE-2026-50709 Frappe Framework 17.0.0-dev - Stored XSS in Notifications Events color rendering

A Stored Cross-Site Scripting XSS vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled input in the Notifications Events panel...

4.8CVSS0.00239EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/06/24 3:4 p.m.6 views

CVE-2026-50709

A Stored Cross-Site Scripting XSS vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled input in the Notifications Events panel...

4.8CVSS5.8AI score0.00239EPSS
Exploits0References3
Github Security Blog
Github Security Blog
added 2026/06/23 7:11 p.m.11 views

AVideo Meet plugin: anonymous-to-admin stored XSS via unescaped participant User-Agent in getMeetInfo.json.php Participants panel

Summary The Meet plugin stores the raw HTTP User-Agent header of every meeting participant and later renders it without output encoding in the meeting-management "Participants" panel that the meeting host and site administrators open. An anonymous, unauthenticated attacker can join any public...

6.2AI score
Exploits0References2Affected Software1
OSV
OSV
added 2026/06/23 7:11 p.m.27 views

GHSA-7CQP-7CFV-6C3Q AVideo Meet plugin: anonymous-to-admin stored XSS via unescaped participant User-Agent in getMeetInfo.json.php Participants panel

Summary The Meet plugin stores the raw HTTP User-Agent header of every meeting participant and later renders it without output encoding in the meeting-management "Participants" panel that the meeting host and site administrators open. An anonymous, unauthenticated attacker can join any public...

6.4CVSS6.2AI score0.002EPSS
Exploits0References2
OSV
OSV
added 2026/06/23 5:39 p.m.4 views

CVE-2026-54317 Home Assistant: Konnected alarm-panel switch state and zone topology disclosed to unauthenticated actors on the LAN

Home Assistant is open source home automation software that puts local control and privacy first. Prior to 2026.6.0, the Konnected integration registers an HTTP endpoint, KonnectedView homeassistant/components/konnected/init.py, that is marked as not requiring authentication requiresauth = False....

7.6CVSS5.9AI score0.00193EPSS
Exploits1References3
Rows per page
Query Builder